Is there an equivalent to mysql_real_escape_string() for email injection? I have a form where the user submits their email. I am afraid that someone could insert a comma separated list of emails and use my site for spamming.
You can use filter_var to validate the e-mail address:
if (!filter_var($address, FILTER_VALIDATE_EMAIL)) {
// invalid e-mail address
}
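A fuller version of this check, added here as an example and not part of the original answer: it trims the input, refuses anything containing a line break or list separator, and then relies on FILTER_VALIDATE_EMAIL, which accepts exactly one bare address. The function name and the sample inputs are constructed for illustration.

```php
<?php
// Added example (not from the original answer). Only the value this function
// returns should ever be placed in a mail header; rejected input is dropped.

/**
 * Return the validated address, or null if the input must be rejected.
 */
function single_email_or_null(string $input): ?string
{
    $candidate = trim($input);

    // A CR or LF would terminate the header line and let further headers
    // be appended; a comma or semicolon is read by many MTAs as an address
    // separator. Refuse both outright rather than trying to "clean" them.
    if (preg_match('/[\r\n,;]/', $candidate)) {
        return null;
    }

    // FILTER_VALIDATE_EMAIL accepts exactly one address and nothing else:
    // no display names, no angle brackets, no whitespace, no lists.
    if (filter_var($candidate, FILTER_VALIDATE_EMAIL) === false) {
        return null;
    }

    return $candidate;
}

// Constructed sample inputs covering the cases the question worries about.
$samples = [
    'alice@example.com',
    '  alice@example.com  ',
    'alice@example.com,bob@example.com',          // comma-separated list
    "alice@example.com\r\nBcc: bob@example.com",  // extra header smuggled in
    'Alice <alice@example.com>',                  // display name, not a bare address
];

foreach ($samples as $s) {
    $result = single_email_or_null($s);
    printf("%-48s => %s\n", json_encode($s), $result === null ? 'REJECTED' : $result);
}
```

Only the first two samples survive. Use the returned string as the sole recipient and never copy the raw form value into any other header (Reply-To, From, Subject), since those are where injected line breaks do their damage.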
Simply validate the field against a commonly found regular expression for a single email address:
function validate_email($e){
return (bool)preg_match("`^[a-z0-9!#$%&'*+\/=?^_\`{|}~-]+(?:\.[a-z0-9!#$%&'*+\/=?^_\`{|}~-]+)*@(?:[a-z0-9](?:[a-z0-9-]*[a-z0-9])?\.)+[a-z0-9](?:[a-z0-9-]*[a-z0-9])?$`i", trim($e));
}
For those with older versions
/*
# PHP Email Validation for versions LESS than PHP 5.2.0
*/
$strEmail = mysql_real_escape_string($_POST['email_e']);
// Dots in the pattern are escaped so they match a literal "." rather than any character;
// eregi() returns true on a match, so the match is the valid branch
if (eregi("^[_a-z0-9-]+(\.[_a-z0-9-]+)*@[a-z0-9-]+(\.[a-z0-9-]+)*(\.[a-z]{2,3})$", $strEmail)){
// valid email
} else {
// not a valid email
}
If your primary concern is, as the question states, to verify that users have not attempted to trick you into spamming for them by entering a comma-separated list of addresses, then isn't the obvious answer to simply check whether there are any commas in the user's input?
I found that good email validation is not that simple, so I just decided to check if "@" and "." are in the string.
function email_valid($email){
/* EMAIL VALIDATION, CHECKS IF STRING CONTAINS "@" and "." */
// strpos() returns 0 when the character sits at position 0, which is falsy,
// so compare against false explicitly instead of relying on truthiness
if( strpos($email, "@") !== false AND strpos($email, ".") !== false ){
return TRUE;
}
else {
return FALSE;
}
}
P.S. If you don't use PDO prepared statements for writing to the database, BE SURE to filter out symbols which may cause SQL injection.
It would be simpler to check the total string length, i.e. local part max 64 + the @ + domain section max 255 characters = 320 characters, but then spamming short addresses would still be possible. I am currently researching email validation for my project and found this interesting article on email validation which explains in depth valid email addresses and RFC 2822. There they suggest a much simpler way to validate that would prevent comma-separated lists being an effective form of spamming.
$isValid = true;
// strrpos() finds the LAST "@", so the domain part can never contain one
$atIndex = strrpos($email, "@");
if ($atIndex === false)
{
// no "@" at all: cannot be an address
$isValid = false;
}
else
{
$domain = substr($email, $atIndex+1);
$local = substr($email, 0, $atIndex);
// ... work with domain and local parts
}
This simply breaks the email address down by finding the last @ sign and declares all that comes before it to be the local part of the address, which has a limit of 64 characters. If there is no @ sign then strrpos will return a boolean value of false. I will be making use of this in my validation function.
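The strrpos() split from this answer carried through, as an added example that is not part of the original post: it enforces the 64-octet local part and 255-octet domain limits the answer cites and rejects separators and line breaks before splitting. The function name, the return shape and the sample inputs are assumptions made for illustration.

```php
<?php
// Added example (not from the original answer): split on the last "@" and
// apply the length limits mentioned in the answer. Sample inputs are constructed.

/**
 * Returns ['valid' => bool, 'local' => string, 'domain' => string, 'errors' => string[]].
 */
function split_and_check_email(string $email): array
{
    $email  = trim($email);
    $errors = [];

    // List separators, whitespace and line breaks have no place in a single
    // address; reject them before looking at the structure at all.
    if (preg_match('/[\r\n,;\s]/', $email)) {
        $errors[] = 'contains a separator, whitespace or line break';
    }

    // Split on the LAST "@" so a quoted local part containing "@" is handled.
    $atIndex = strrpos($email, '@');
    if ($atIndex === false) {
        $errors[] = 'no @ sign';
        return ['valid' => false, 'local' => '', 'domain' => '', 'errors' => $errors];
    }

    $local  = substr($email, 0, $atIndex);
    $domain = substr($email, $atIndex + 1);

    // Length limits from the answer: 64 octets for the local part, 255 for the domain.
    if ($local === '' || strlen($local) > 64) {
        $errors[] = 'local part empty or longer than 64 octets';
    }
    if ($domain === '' || strlen($domain) > 255) {
        $errors[] = 'domain empty or longer than 255 octets';
    }
    if (strpos($domain, '.') === false) {
        $errors[] = 'domain has no dot';
    }

    return [
        'valid'  => $errors === [],
        'local'  => $local,
        'domain' => $domain,
        'errors' => $errors,
    ];
}

// Constructed sample inputs, including the comma-separated case from the question.
$samples = [
    'alice@example.com',
    'alice@example.com,bob@example.com',
    str_repeat('a', 65) . '@example.com',
    'nobody-home',
];

foreach ($samples as $s) {
    $r = split_and_check_email($s);
    printf("%-40s valid=%s %s\n",
        substr($s, 0, 40),
        $r['valid'] ? 'yes' : 'no',
        $r['valid'] ? "local={$r['local']} domain={$r['domain']}" : implode('; ', $r['errors']));
}
```

Only the first sample passes; the second is caught by the separator check before the split, the third by the 64-octet limit on the local part, and the fourth by the missing @. A length check alone, as the answer notes, would still let short comma-separated lists through, which is why the separator test comes first.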